UW ‘white-hat hacker’ searches for security holes

Originally published October 17, 2012 at 4:45 pm

Updated October 17, 2012 at 6:46 pm

University of Washington computer scientist Tadayoshi Kohno will be featured in a PBS science show Wednesday for his work that shows how cars, medical devices and other interconnected gadgets can be hacked.

For most people, computer security means just that: Keeping viruses off your desktop or laptop, your PC or your Mac.

But when Tadayoshi Kohno thinks of computers and security, he thinks about the vulnerabilities inherent in a whole range of devices that are increasingly connected wirelessly to the Internet, to cellphones or to each other.

A computer scientist at the University of Washington, Kohno has proved that you can hack and take over the circuitry of a pacemaker, an implantable defibrillator, a child’s toy, a mileage-tracking device for runners, and — perhaps most chilling of all — a car.

Kohno, 34, is so good at what he does that government regulators and manufacturers habitually beat a path to his door, in the UW’s computer science and engineering department, where he is an associate professor.

Kohno will be featured Wednesday on PBS’s NOVA scienceNOW, in an episode that examines whether science can help solve crime.

Appearing at the end of the hourlong show, Kohno demonstrates how he hacks into a car — opening its doors, starting the engine, and then, dramatically, taking control of its brakes to bring the vehicle to a skidding stop.

“Every system out there could be compromised in some way, by some adversary,” Kohno said. “My biggest concern about the future is we’re going to have this ubiquitous ‘Internet of things,’ but we haven’t thought adequately about computer security.”

At the UW, Kohno plays a kind of “what-if” game with his colleagues, trying to stay one step ahead of the bad guys by imagining how all kinds of devices could be hacked and used with malicious intent.

The boyish scientist, who dresses like a student, describes his work as “very fun.”

“Yoshi has been on our radar for a while,” said Julia Cort, executive producer of NOVA scienceNOW. “What he’s discovering is going to be so surprising to some people — he’s hunting down these weaknesses in systems we have all around us.”

Kohno has published numerous papers and received several awards, including a Sloan Research Fellowship and an MIT Technology Review Young Innovator Award. He’s been at the UW since 2006. He’s quick to point out that many of the risks he investigates are somewhat theoretical, even though they make for good TV.

“There’s no such thing as perfect security, and no such thing as insecurity,” he said. “The question is, is this system sufficiently secure for my purposes?”

Effects of his research

Kohno shared his research about car-hacking, published with colleagues at the University of California-San Diego, with the auto industry and government regulators.

As a result, the U.S. Council for Automotive Research and SAE International, an automotive-engineering society, both created task forces to examine what should be done to make cars more secure, Kohno said.

The U.S. Department of Transportation and the National Highway Traffic Safety Administration have taken notice, too.

“I’ve been very impressed with the response from the automotive industry, and very pleased by how much they’re focusing on security these days,” he said.

Kohno has proved that it’s technically possible to hack into medical devices such as pacemakers and defibrillators.

He’s also shown that it’s possible to use a consumer product, the Nike+ iPod sport kit, to track a runner’s location — although, “to be honest, in that case, the risk is pretty low,” he said.

Still, it raises an interesting question for Kohno: “Even if the risk is low, if it’s possible to improve privacy, should companies do so?”

Kohno is the only professor at the UW whose area is computer security, but his work crosses other disciplines in the department.

He was attracted to the university in part by the collaborative reputation of its computer science and engineering department.

“There’s definitely a culture of tinkerers here, people who like to learn on their own, to build systems that understand vulnerabilities,” he said. “It is through being inquisitive that we start to ask, ‘Are there vulnerabilities? Are there ways of misusing this technology?’ ”

Being an ethical hacker

Kohno teaches an undergraduate class in computer security, and one of the assignments he gives students is to scan announcements for new products, then figure out if these new devices could be vulnerable to hackers.

He and the other faculty and students in the UW’s Security and Privacy Research Lab have also created a card game, Control-Alt-Hack, designed to teach high school and college-age students about computer security.

Players take on the role of “white-hat hackers” — or ethical hackers — and perform security audits and provide consultation services. Production of the game was funded, in part, by Intel Labs and the National Science Foundation, and it will be distributed for free to educators.

“One of the things that I really liked about Yoshi for a profile is that he really lives his work,” said Cort, the PBS producer. “It’s clear his work reflects his world view. He’s looking for security holes everywhere.”

Growing up in Boulder, Colo., Kohno said he had eclectic interests. He was drawn to computers because he enjoyed experimenting with them, treating a computer as a kind of laboratory for his creativity.

“I feel computer security is a very interesting subdiscipline of computer science because of the cat-and-mouse game we play,” he said. “It’s like a game of chess, always trying to outthink the other party.”